Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

NON-MERAKI Site-To-Site VPN - network translation v18.2xxx

Solved
MannyElPollo
Here to help
3 weeks ago
3 weeks ago

NON-MERAKI Site-To-Site VPN - network translation v18.2xxx

Hey All,

 

Just wanted to post here and see if anyone ran into this before while running firmware v18.2xxx version

 

Currently have a NON-MERAKI S2S VPN tunnel configured using "IKEv1"

We're translating a /23 subnet to a single /32 

MannyElPollo_0-1724419402778.png


So that any clients on the /23 show up as a single host (whitelisted on vendor end)

 

All this works properly on firmware v18.1xxx, however whenever we upgrade to v18.2xxx randomly some clients would be able to access the remote host (specifically port 443/https) and some others WILL NOT -no common denominator- almost like if Meraki is NOT translating the full /23 subnet properly... weird part is ICMP/PINGS work properly (strange)

 

Anyways for now we have rolled back to v18.1xxx and confirmed tunnel working no issues both ICMP/PINGS and more importantly port 443/https traffic

 

Let me know thoughts 🙂 maybe I shall submit it as a "bug"

 

Thanks!

 

0 Kudos
Subscribe
1 Accepted Solution
In response to MannyElPollo
JonnyM
Getting noticed
3 weeks ago
3 weeks ago

For 'advanced' stuff like this I have previously deployed a non-Meraki firewall alongside an MX and then created static routes between the two boxes. We had an MX running our office about four years ago but needed 20-30 IPsec tunnels to other organisations and I did them all on a Netgate appliance because things like routed tunnels weren't an option on the MX. Knowing the limitations of the MX platform and trying to keep your usage within the constraints is half the work of designing Meraki implementations. 

View solution in original post

Subscribe
6 Replies 6
RaphaelL
Kind of a big deal
Kind of a big deal
3 weeks ago
3 weeks ago

Hi ,

 

NMVPN is really hard to troubleshoot on it's own. I highly suggest to involve Support on that one

0 Kudos
Subscribe
In response to RaphaelL
MannyElPollo
Here to help
3 weeks ago
3 weeks ago

Yea- engaged them and one thousand packet captures later....

 

ONLY FIX was roll back to "v18.1xxx" which fixed issue- 

 

xD

Subscribe
jimmyt234
Building a reputation
3 weeks ago
3 weeks ago

The documentation on this feature states: "This feature is only supported for Auto VPN and is not intended to work with non-Meraki VPN peers."

 

Using Site-to-site VPN Translation - Cisco Meraki Documentation

Subscribe
In response to jimmyt234
MannyElPollo
Here to help
3 weeks ago
3 weeks ago

@jimmyt234 wrote:

The documentation on this feature states: "This feature is only supported for Auto VPN and is not intended to work with non-Meraki VPN peers."

 

Using Site-to-site VPN Translation - Cisco Meraki Documentation

 

Noted- seems like a "basic" functionality a firewall would have...🤔 (subnet translation)

 

hey at least it works 🙂

Subscribe
In response to MannyElPollo
JonnyM
Getting noticed
3 weeks ago
3 weeks ago

For 'advanced' stuff like this I have previously deployed a non-Meraki firewall alongside an MX and then created static routes between the two boxes. We had an MX running our office about four years ago but needed 20-30 IPsec tunnels to other organisations and I did them all on a Netgate appliance because things like routed tunnels weren't an option on the MX. Knowing the limitations of the MX platform and trying to keep your usage within the constraints is half the work of designing Meraki implementations. 

Subscribe
In response to JonnyM
MannyElPollo
Here to help
3 weeks ago
3 weeks ago

Marked as solution-

 

10000% agree; for some of our most advanced deployments we even reverted to virtual NETGATE appliances for VPN tunnels

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.